Researchers disclose WhatsApp contact discovery vulnerability that identifies 3.5 billion users
Security researchers from the University of Vienna and SBA Research have disclosed a now-patched vulnerability that can enumerate around 3.5 billion WhatsApp accounts using the app's contact discovery feature.
The collected data includes a user's phone number, public encryption keys, and timestamps. If set to public, a threat actor can also access profile pictures and "about" text. This data can be used to infer other information, such as the account's operating system, account age, and even the number of linked devices.
The researchers also identified millions of active WhatsApp accounts in countries where the app was banned, such as China, Iran, and Myanmar. Furthermore, they were able to recognize users of unofficial WhatsApp clients that reuse cryptographic keys.
Around half of all affected accounts also appeared in the 2021 Facebook data breach of over 500 million phone numbers, so those already-leaked numbers would have faced an increased risk of spam calls and targeted messaging if this vulnerability had been exploited.
Contact discovery works by WhatsApp obtaining access to a user's contacts list and matching the phone numbers in it against registered accounts. However, the research team reports that WhatsApp's infrastructure imposed no limit on how many such queries a single source could send, allowing an attacker to comb through millions of phone numbers.
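The missing control the researchers describe is a per-source cap on lookups. The following is an added illustration, not WhatsApp's or Meta's code, of what that control looks like on a contact-discovery endpoint: each request is limited to a maximum batch size, each source draws from a token bucket that bounds how many numbers it can query per unit of time, and a separate pass over request logs flags sources whose lookup volume in a sliding window exceeds a threshold. The class and function names, the limits, and the log format are all assumptions chosen for the example.

```python
"""Rate limiting and abuse detection for a contact-discovery endpoint (illustrative)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class TokenBucket:
    """Classic token bucket: a burst allowance that refills at a steady rate."""
    capacity: int           # maximum numbers a source may look up in one burst
    refill_per_sec: float   # sustained lookups allowed per second
    tokens: float           # tokens currently available
    last: float             # timestamp of the last refill calculation

    def take(self, n: int, now: float) -> bool:
        elapsed = max(0.0, now - self.last)
        self.tokens = min(self.capacity, self.tokens + elapsed * self.refill_per_sec)
        self.last = now
        if n > self.tokens:
            return False
        self.tokens -= n
        return True


class ContactDiscoveryService:
    """Matches submitted phone numbers against registered accounts, per-source limited."""
    MAX_BATCH = 500     # hypothetical cap on numbers per request
    BURST = 5_000       # hypothetical per-source burst allowance
    REFILL = 1.0        # hypothetical sustained rate: one number per second per source

    def __init__(self, registered):
        self._registered = set(registered)
        self._buckets: dict[str, TokenBucket] = {}

    def lookup(self, source_id: str, numbers: list[str], now: float) -> dict:
        # Reject oversized batches before they touch the per-source budget.
        if len(numbers) > self.MAX_BATCH:
            return {"status": "rejected", "reason": "batch_too_large", "matches": []}
        bucket = self._buckets.setdefault(
            source_id, TokenBucket(self.BURST, self.REFILL, tokens=self.BURST, last=now)
        )
        # Charge the budget per number queried, not per request, so small batches
        # sent in rapid succession cannot bypass the cap.
        if not bucket.take(len(numbers), now):
            return {"status": "throttled", "reason": "rate_limit", "matches": []}
        matches = sorted(n for n in numbers if n in self._registered)
        return {"status": "ok", "reason": None, "matches": matches}


def flag_enumerators(log_lines, window_seconds: int = 60, threshold: int = 20_000):
    """Return source ids whose queried-number total within any sliding window exceeds threshold.

    Each log line is '<unix_ts> <source_id> <batch_size>' (constructed format for this example).
    """
    events = defaultdict(list)
    for line in log_lines:
        ts, src, n = line.split()
        events[src].append((int(ts), int(n)))
    flagged = set()
    for src, evs in events.items():
        evs.sort()
        total, start = 0, 0
        for ts, n in evs:
            total += n
            # Slide the window start forward past events older than window_seconds.
            while evs[start][0] < ts - window_seconds:
                total -= evs[start][1]
                start += 1
            if total > threshold:
                flagged.add(src)
                break
    return sorted(flagged)


# Constructed sample log: one ordinary source and one that submits 25,000 numbers in 50 seconds.
SAMPLE_LOG = ["1700000000 src-a 50", "1700000030 src-a 20"] + [
    f"{1700000000 + i} src-b 500" for i in range(50)
]

if __name__ == "__main__":
    svc = ContactDiscoveryService(registered={"+15550001", "+15550002"})
    print(svc.lookup("app-instance-1", ["+15550001", "+15559999"], now=0.0))
    print("flagged sources:", flag_enumerators(SAMPLE_LOG))
```

Charging the bucket per number rather than per request is the design point: an endpoint that only counts requests can still be drained with maximal batches, whereas a per-number budget bounds the total address space any one source can probe in a day regardless of how the queries are packaged. The log pass is the detective counterpart for sources that stay just under the enforcement limit.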
In a press release, Gabriel Gegenhuber, the lead author of the disclosure report, notes that this behavior is unusual for large services like WhatsApp:
"Normally, a system shouldn't respond to such a high number of requests in such a short time — particularly when originating from a single source...This behavior exposed the underlying flaw, which allowed us to issue an effectively unlimited number of requests to the server and, in doing so, map user data worldwide."
Meta has released a patch mitigating this issue, but concerns remain about the privacy of similar contact discovery features. Users may instead disable contacts access entirely to prevent tracking by both messengers and social media platforms.
Alternative messengers have solved this problem by de-emphasizing contact discovery. Signal allows users to manually add and verify contacts via nicknames, while SimpleX and Matrix-based clients like Element do not require phone numbers upon account registration.